[OpenID] OpenID as an attack relay

Martin Foster martin at ethereal-realms.org
Mon Mar 19 16:25:36 UTC 2007

Some sites using my code are experiencing a phenomenon where users 
register, gain access and use a certain component of the site in order 
to attack another service.   They use the systems check of an image URL 
(by retrieving it and getting information on the file) to craft attack 
strings used on vulnerable systems.

While I can create a throttle system that will check to see how often 
modifications were made in that section and slow things down or skip it 
entirely;  it is more difficult to detect such an attack before a user 
even authenticates against the system.

Since by nature OpenID identifiers must be verified to get information 
on the identity provider and so forth, I can envision the OpenID enabled 
version of the code to expose a new portion of itself to behave like an 
attack relay.   Is there anything at all in the specification that can 
thwart such attempts?

	Martin Foster
	Creator/Designer Ethereal Realms
	martin at ethereal-realms.org

More information about the general mailing list